<!doctype html>

<html>
<head>
  <link rel="shortcut icon" href="static/images/favicon.ico" type="image/x-icon">
  <title>htmlsanitizer.js (Closure Library API Documentation - JavaScript)</title>
  <link rel="stylesheet" href="static/css/base.css">
  <link rel="stylesheet" href="static/css/doc.css">
  <link rel="stylesheet" href="static/css/sidetree.css">
  <link rel="stylesheet" href="static/css/prettify.css">

  <script>
     var _staticFilePath = "static/";
     var _typeTreeName = "goog";
     var _fileTreeName = "Source";
  </script>

  <script src="static/js/doc.js">
  </script>


  <meta charset="utf8">
</head>

<body onload="grokdoc.onLoad();">

<div id="header">
  <div class="g-section g-tpl-50-50 g-split">
    <div class="g-unit g-first">
      <a id="logo" href="index.html">Closure Library API Documentation</a>
    </div>

    <div class="g-unit">
      <div class="g-c">
        <strong>Go to class or file:</strong>
        <input type="text" id="ac">
      </div>
    </div>
  </div>
</div>

<div class="clear"></div>

<h2><a href="closure_third_party_closure_goog_caja_string_html_htmlsanitizer.js.html">htmlsanitizer.js</a></h2>

<pre class="prettyprint lang-js">
<a name="line1"></a>// Copyright 2006-2008, The Google Caja project.
<a name="line2"></a>// Modifications Copyright 2009 The Closure Library Authors. All Rights Reserved.
<a name="line3"></a>// All Rights Reserved
<a name="line4"></a>
<a name="line5"></a>/**
<a name="line6"></a> * @license Portions of this code are from the google-caja project, received by
<a name="line7"></a> * Google under the Apache license (http://code.google.com/p/google-caja/).
<a name="line8"></a> * All other code is Copyright 2009 Google, Inc. All Rights Reserved.
<a name="line9"></a>
<a name="line10"></a>// Copyright (C) 2006 Google Inc.
<a name="line11"></a>//
<a name="line12"></a>// Licensed under the Apache License, Version 2.0 (the &quot;License&quot;);
<a name="line13"></a>// you may not use this file except in compliance with the License.
<a name="line14"></a>// You may obtain a copy of the License at
<a name="line15"></a>//
<a name="line16"></a>//      http://www.apache.org/licenses/LICENSE-2.0
<a name="line17"></a>//
<a name="line18"></a>// Unless required by applicable law or agreed to in writing, software
<a name="line19"></a>// distributed under the License is distributed on an &quot;AS IS&quot; BASIS,
<a name="line20"></a>// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
<a name="line21"></a>// See the License for the specific language governing permissions and
<a name="line22"></a>// limitations under the License.
<a name="line23"></a>
<a name="line24"></a> */
<a name="line25"></a>
<a name="line26"></a>/**
<a name="line27"></a> * @fileoverview An HTML sanitizer that can satisfy a variety of security
<a name="line28"></a> * policies. The HTML sanitizer is built around a SAX parser and HTML element
<a name="line29"></a> * and attributes schemas.
<a name="line30"></a> *
<a name="line31"></a> * This package provides html sanitizing and parsing functions.
<a name="line32"></a> * {@code goog.string.htmlSanitize} is basically just using a custom written
<a name="line33"></a> * {@code goog.string.HtmlSaxHandler} that outputs safe html as the unsafe
<a name="line34"></a> * html content is parsed by {@code goog.string.HtmlParser}.
<a name="line35"></a> *
<a name="line36"></a> * Examples of usage of the static {@code goog.string.htmlSanitize}:
<a name="line37"></a> * &lt;pre&gt;
<a name="line38"></a> *   var safeHtml = goog.string.html.htmlSanitize(&#39;&lt;script src=&quot;xss.js&quot; /&gt;&#39;);
<a name="line39"></a> *   el.innerHTML = safeHtml;
<a name="line40"></a> * &lt;/pre&gt;
<a name="line41"></a> *
<a name="line42"></a> * We use {@code goog.string.StringBuffer} for fast string concatenation, since
<a name="line43"></a> * htmlSanitize is relatively heavy considering that it is designed to parse
<a name="line44"></a> * large html files.
<a name="line45"></a> *
<a name="line46"></a> * @supported IE6, IE7, IE8, FF1.5, FF2, FF3, Chrome 4.0, Safari and Opera 10.
<a name="line47"></a> */
<a name="line48"></a>
<a name="line49"></a>goog.provide(&#39;goog.string.html.HtmlSanitizer&#39;);
<a name="line50"></a>goog.provide(&#39;goog.string.html.HtmlSanitizer.AttributeType&#39;);
<a name="line51"></a>goog.provide(&#39;goog.string.html.HtmlSanitizer.Attributes&#39;);
<a name="line52"></a>goog.provide(&#39;goog.string.html.htmlSanitize&#39;);
<a name="line53"></a>
<a name="line54"></a>goog.require(&#39;goog.string.StringBuffer&#39;);
<a name="line55"></a>goog.require(&#39;goog.string.html.HtmlParser&#39;);
<a name="line56"></a>goog.require(&#39;goog.string.html.HtmlParser.EFlags&#39;);
<a name="line57"></a>goog.require(&#39;goog.string.html.HtmlParser.Elements&#39;);
<a name="line58"></a>goog.require(&#39;goog.string.html.HtmlSaxHandler&#39;);
<a name="line59"></a>
<a name="line60"></a>
<a name="line61"></a>/**
<a name="line62"></a> * Strips unsafe tags and attributes from HTML.
<a name="line63"></a> *
<a name="line64"></a> * @param {string} htmlText The HTML text to sanitize.
<a name="line65"></a> * @param {function(string) : string} opt_urlPolicy A transform to apply to URL
<a name="line66"></a> *     attribute values.
<a name="line67"></a> * @param {function(string) : string} opt_nmTokenPolicy A transform to apply to
<a name="line68"></a> *     names, IDs, and classes.
<a name="line69"></a> * @return {string} A sanitized HTML, safe to be embedded on the page.
<a name="line70"></a> */
<a name="line71"></a>goog.string.html.htmlSanitize = function(
<a name="line72"></a>    htmlText, opt_urlPolicy, opt_nmTokenPolicy) {
<a name="line73"></a>  var stringBuffer = new goog.string.StringBuffer();
<a name="line74"></a>  var handler = new goog.string.html.HtmlSanitizer(
<a name="line75"></a>      stringBuffer, opt_urlPolicy, opt_nmTokenPolicy);
<a name="line76"></a>  var parser = new goog.string.html.HtmlParser();
<a name="line77"></a>  parser.parse(handler, htmlText);
<a name="line78"></a>  return stringBuffer.toString();
<a name="line79"></a>};
<a name="line80"></a>
<a name="line81"></a>
<a name="line82"></a>/**
<a name="line83"></a> * An implementation of the {@code goog.string.HtmlSaxHandler} interface that
<a name="line84"></a> * will take each of the html tags and sanitize it.
<a name="line85"></a> *
<a name="line86"></a> * @param {goog.string.StringBuffer} stringBuffer A string buffer, used to
<a name="line87"></a> *     output the html as we sanitize it.
<a name="line88"></a> * @param {?function(string):string} opt_urlPolicy An optional function to be
<a name="line89"></a> *     applied in URLs.
<a name="line90"></a> * @param {?function(string):string} opt_nmTokenPolicy An optional function to
<a name="line91"></a> *     be applied in names.
<a name="line92"></a> * @constructor
<a name="line93"></a> * @extends {goog.string.html.HtmlSaxHandler}
<a name="line94"></a> */
<a name="line95"></a>goog.string.html.HtmlSanitizer = function(
<a name="line96"></a>    stringBuffer, opt_urlPolicy, opt_nmTokenPolicy) {
<a name="line97"></a>  goog.string.html.HtmlSaxHandler.call(this);
<a name="line98"></a>
<a name="line99"></a>  /**
<a name="line100"></a>   * The string buffer that holds the sanitized version of the html. Used
<a name="line101"></a>   * during the parse time.
<a name="line102"></a>   * @type {goog.string.StringBuffer}
<a name="line103"></a>   * @private
<a name="line104"></a>   */
<a name="line105"></a>  this.stringBuffer_ = stringBuffer;
<a name="line106"></a>
<a name="line107"></a>  /**
<a name="line108"></a>   * A stack that holds how the handler is being called.
<a name="line109"></a>   * @type {Array}
<a name="line110"></a>   * @private
<a name="line111"></a>   */
<a name="line112"></a>  this.stack_ = [];
<a name="line113"></a>
<a name="line114"></a>  /**
<a name="line115"></a>   * Whether we are ignoring what is being processed or not.
<a name="line116"></a>   * @type {boolean}
<a name="line117"></a>   * @private
<a name="line118"></a>   */
<a name="line119"></a>  this.ignoring_ = false;
<a name="line120"></a>
<a name="line121"></a>  /**
<a name="line122"></a>   * A function to be applied to urls found on the parsing process.
<a name="line123"></a>   * @type {?function(string):string}
<a name="line124"></a>   * @private
<a name="line125"></a>   */
<a name="line126"></a>  this.urlPolicy_ = opt_urlPolicy;
<a name="line127"></a>
<a name="line128"></a>  /**
<a name="line129"></a>   * A function to be applied to names fround on the parsing process.
<a name="line130"></a>   * @type {?function(string):string}
<a name="line131"></a>   * @private
<a name="line132"></a>   */
<a name="line133"></a>  this.nmTokenPolicy_ = opt_nmTokenPolicy;
<a name="line134"></a>};
<a name="line135"></a>goog.inherits(
<a name="line136"></a>    goog.string.html.HtmlSanitizer,
<a name="line137"></a>    goog.string.html.HtmlSaxHandler);
<a name="line138"></a>
<a name="line139"></a>
<a name="line140"></a>
<a name="line141"></a>/**
<a name="line142"></a> * The HTML types the parser supports.
<a name="line143"></a> * @enum {number}
<a name="line144"></a> */
<a name="line145"></a>goog.string.html.HtmlSanitizer.AttributeType = {
<a name="line146"></a>  NONE: 0,
<a name="line147"></a>  URI: 1,
<a name="line148"></a>  URI_FRAGMENT: 11,
<a name="line149"></a>  SCRIPT: 2,
<a name="line150"></a>  STYLE: 3,
<a name="line151"></a>  ID: 4,
<a name="line152"></a>  IDREF: 5,
<a name="line153"></a>  IDREFS: 6,
<a name="line154"></a>  GLOBAL_NAME: 7,
<a name="line155"></a>  LOCAL_NAME: 8,
<a name="line156"></a>  CLASSES: 9,
<a name="line157"></a>  FRAME_TARGET: 10
<a name="line158"></a>};
<a name="line159"></a>
<a name="line160"></a>
<a name="line161"></a>/**
<a name="line162"></a> * A map of attributes to types it has.
<a name="line163"></a> * @enum {number}
<a name="line164"></a> */
<a name="line165"></a>goog.string.html.HtmlSanitizer.Attributes = {
<a name="line166"></a>  &#39;*::class&#39;: goog.string.html.HtmlSanitizer.AttributeType.CLASSES,
<a name="line167"></a>  &#39;*::dir&#39;: 0,
<a name="line168"></a>  &#39;*::id&#39;: goog.string.html.HtmlSanitizer.AttributeType.ID,
<a name="line169"></a>  &#39;*::lang&#39;: 0,
<a name="line170"></a>  &#39;*::onclick&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line171"></a>  &#39;*::ondblclick&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line172"></a>  &#39;*::onkeydown&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line173"></a>  &#39;*::onkeypress&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line174"></a>  &#39;*::onkeyup&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line175"></a>  &#39;*::onload&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line176"></a>  &#39;*::onmousedown&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line177"></a>  &#39;*::onmousemove&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line178"></a>  &#39;*::onmouseout&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line179"></a>  &#39;*::onmouseover&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line180"></a>  &#39;*::onmouseup&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line181"></a>  &#39;*::style&#39;: goog.string.html.HtmlSanitizer.AttributeType.STYLE,
<a name="line182"></a>  &#39;*::title&#39;: 0,
<a name="line183"></a>  &#39;*::accesskey&#39;: 0,
<a name="line184"></a>  &#39;*::tabindex&#39;: 0,
<a name="line185"></a>  &#39;*::onfocus&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line186"></a>  &#39;*::onblur&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line187"></a>  &#39;a::coords&#39;: 0,
<a name="line188"></a>  &#39;a::href&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI,
<a name="line189"></a>  &#39;a::hreflang&#39;: 0,
<a name="line190"></a>  &#39;a::name&#39;: goog.string.html.HtmlSanitizer.AttributeType.GLOBAL_NAME,
<a name="line191"></a>  &#39;a::onblur&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line192"></a>  &#39;a::rel&#39;: 0,
<a name="line193"></a>  &#39;a::rev&#39;: 0,
<a name="line194"></a>  &#39;a::shape&#39;: 0,
<a name="line195"></a>  &#39;a::target&#39;: goog.string.html.HtmlSanitizer.AttributeType.FRAME_TARGET,
<a name="line196"></a>  &#39;a::type&#39;: 0,
<a name="line197"></a>  &#39;area::accesskey&#39;: 0,
<a name="line198"></a>  &#39;area::alt&#39;: 0,
<a name="line199"></a>  &#39;area::coords&#39;: 0,
<a name="line200"></a>  &#39;area::href&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI,
<a name="line201"></a>  &#39;area::nohref&#39;: 0,
<a name="line202"></a>  &#39;area::onfocus&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line203"></a>  &#39;area::shape&#39;: 0,
<a name="line204"></a>  &#39;area::tabindex&#39;: 0,
<a name="line205"></a>  &#39;area::target&#39;: goog.string.html.HtmlSanitizer.AttributeType.FRAME_TARGET,
<a name="line206"></a>  &#39;bdo::dir&#39;: 0,
<a name="line207"></a>  &#39;blockquote::cite&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI,
<a name="line208"></a>  &#39;br::clear&#39;: 0,
<a name="line209"></a>  &#39;button::accesskey&#39;: 0,
<a name="line210"></a>  &#39;button::disabled&#39;: 0,
<a name="line211"></a>  &#39;button::name&#39;: goog.string.html.HtmlSanitizer.AttributeType.LOCAL_NAME,
<a name="line212"></a>  &#39;button::onblur&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line213"></a>  &#39;button::onfocus&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line214"></a>  &#39;button::tabindex&#39;: 0,
<a name="line215"></a>  &#39;button::type&#39;: 0,
<a name="line216"></a>  &#39;button::value&#39;: 0,
<a name="line217"></a>  &#39;caption::align&#39;: 0,
<a name="line218"></a>  &#39;col::align&#39;: 0,
<a name="line219"></a>  &#39;col::char&#39;: 0,
<a name="line220"></a>  &#39;col::charoff&#39;: 0,
<a name="line221"></a>  &#39;col::span&#39;: 0,
<a name="line222"></a>  &#39;col::valign&#39;: 0,
<a name="line223"></a>  &#39;col::width&#39;: 0,
<a name="line224"></a>  &#39;colgroup::align&#39;: 0,
<a name="line225"></a>  &#39;colgroup::char&#39;: 0,
<a name="line226"></a>  &#39;colgroup::charoff&#39;: 0,
<a name="line227"></a>  &#39;colgroup::span&#39;: 0,
<a name="line228"></a>  &#39;colgroup::valign&#39;: 0,
<a name="line229"></a>  &#39;colgroup::width&#39;: 0,
<a name="line230"></a>  &#39;del::cite&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI,
<a name="line231"></a>  &#39;del::datetime&#39;: 0,
<a name="line232"></a>  &#39;dir::compact&#39;: 0,
<a name="line233"></a>  &#39;div::align&#39;: 0,
<a name="line234"></a>  &#39;dl::compact&#39;: 0,
<a name="line235"></a>  &#39;font::color&#39;: 0,
<a name="line236"></a>  &#39;font::face&#39;: 0,
<a name="line237"></a>  &#39;font::size&#39;: 0,
<a name="line238"></a>  &#39;form::accept&#39;: 0,
<a name="line239"></a>  &#39;form::action&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI,
<a name="line240"></a>  &#39;form::autocomplete&#39;: 0,
<a name="line241"></a>  &#39;form::enctype&#39;: 0,
<a name="line242"></a>  &#39;form::method&#39;: 0,
<a name="line243"></a>  &#39;form::name&#39;: goog.string.html.HtmlSanitizer.AttributeType.GLOBAL_NAME,
<a name="line244"></a>  &#39;form::onreset&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line245"></a>  &#39;form::onsubmit&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line246"></a>  &#39;form::target&#39;: goog.string.html.HtmlSanitizer.AttributeType.FRAME_TARGET,
<a name="line247"></a>  &#39;h1::align&#39;: 0,
<a name="line248"></a>  &#39;h2::align&#39;: 0,
<a name="line249"></a>  &#39;h3::align&#39;: 0,
<a name="line250"></a>  &#39;h4::align&#39;: 0,
<a name="line251"></a>  &#39;h5::align&#39;: 0,
<a name="line252"></a>  &#39;h6::align&#39;: 0,
<a name="line253"></a>  &#39;hr::align&#39;: 0,
<a name="line254"></a>  &#39;hr::noshade&#39;: 0,
<a name="line255"></a>  &#39;hr::size&#39;: 0,
<a name="line256"></a>  &#39;hr::width&#39;: 0,
<a name="line257"></a>  &#39;img::align&#39;: 0,
<a name="line258"></a>  &#39;img::alt&#39;: 0,
<a name="line259"></a>  &#39;img::border&#39;: 0,
<a name="line260"></a>  &#39;img::height&#39;: 0,
<a name="line261"></a>  &#39;img::hspace&#39;: 0,
<a name="line262"></a>  &#39;img::ismap&#39;: 0,
<a name="line263"></a>  &#39;img::longdesc&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI,
<a name="line264"></a>  &#39;img::name&#39;: goog.string.html.HtmlSanitizer.AttributeType.GLOBAL_NAME,
<a name="line265"></a>  &#39;img::src&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI,
<a name="line266"></a>  &#39;img::usemap&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI_FRAGMENT,
<a name="line267"></a>  &#39;img::vspace&#39;: 0,
<a name="line268"></a>  &#39;img::width&#39;: 0,
<a name="line269"></a>  &#39;input::accept&#39;: 0,
<a name="line270"></a>  &#39;input::accesskey&#39;: 0,
<a name="line271"></a>  &#39;input::autocomplete&#39;: 0,
<a name="line272"></a>  &#39;input::align&#39;: 0,
<a name="line273"></a>  &#39;input::alt&#39;: 0,
<a name="line274"></a>  &#39;input::checked&#39;: 0,
<a name="line275"></a>  &#39;input::disabled&#39;: 0,
<a name="line276"></a>  &#39;input::ismap&#39;: 0,
<a name="line277"></a>  &#39;input::maxlength&#39;: 0,
<a name="line278"></a>  &#39;input::name&#39;: goog.string.html.HtmlSanitizer.AttributeType.LOCAL_NAME,
<a name="line279"></a>  &#39;input::onblur&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line280"></a>  &#39;input::onchange&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line281"></a>  &#39;input::onfocus&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line282"></a>  &#39;input::onselect&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line283"></a>  &#39;input::readonly&#39;: 0,
<a name="line284"></a>  &#39;input::size&#39;: 0,
<a name="line285"></a>  &#39;input::src&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI,
<a name="line286"></a>  &#39;input::tabindex&#39;: 0,
<a name="line287"></a>  &#39;input::type&#39;: 0,
<a name="line288"></a>  &#39;input::usemap&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI_FRAGMENT,
<a name="line289"></a>  &#39;input::value&#39;: 0,
<a name="line290"></a>  &#39;ins::cite&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI,
<a name="line291"></a>  &#39;ins::datetime&#39;: 0,
<a name="line292"></a>  &#39;label::accesskey&#39;: 0,
<a name="line293"></a>  &#39;label::for&#39;: goog.string.html.HtmlSanitizer.AttributeType.IDREF,
<a name="line294"></a>  &#39;label::onblur&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line295"></a>  &#39;label::onfocus&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line296"></a>  &#39;legend::accesskey&#39;: 0,
<a name="line297"></a>  &#39;legend::align&#39;: 0,
<a name="line298"></a>  &#39;li::type&#39;: 0,
<a name="line299"></a>  &#39;li::value&#39;: 0,
<a name="line300"></a>  &#39;map::name&#39;: goog.string.html.HtmlSanitizer.AttributeType.GLOBAL_NAME,
<a name="line301"></a>  &#39;menu::compact&#39;: 0,
<a name="line302"></a>  &#39;ol::compact&#39;: 0,
<a name="line303"></a>  &#39;ol::start&#39;: 0,
<a name="line304"></a>  &#39;ol::type&#39;: 0,
<a name="line305"></a>  &#39;optgroup::disabled&#39;: 0,
<a name="line306"></a>  &#39;optgroup::label&#39;: 0,
<a name="line307"></a>  &#39;option::disabled&#39;: 0,
<a name="line308"></a>  &#39;option::label&#39;: 0,
<a name="line309"></a>  &#39;option::selected&#39;: 0,
<a name="line310"></a>  &#39;option::value&#39;: 0,
<a name="line311"></a>  &#39;p::align&#39;: 0,
<a name="line312"></a>  &#39;pre::width&#39;: 0,
<a name="line313"></a>  &#39;q::cite&#39;: goog.string.html.HtmlSanitizer.AttributeType.URI,
<a name="line314"></a>  &#39;select::disabled&#39;: 0,
<a name="line315"></a>  &#39;select::multiple&#39;: 0,
<a name="line316"></a>  &#39;select::name&#39;: goog.string.html.HtmlSanitizer.AttributeType.LOCAL_NAME,
<a name="line317"></a>  &#39;select::onblur&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line318"></a>  &#39;select::onchange&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line319"></a>  &#39;select::onfocus&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line320"></a>  &#39;select::size&#39;: 0,
<a name="line321"></a>  &#39;select::tabindex&#39;: 0,
<a name="line322"></a>  &#39;table::align&#39;: 0,
<a name="line323"></a>  &#39;table::bgcolor&#39;: 0,
<a name="line324"></a>  &#39;table::border&#39;: 0,
<a name="line325"></a>  &#39;table::cellpadding&#39;: 0,
<a name="line326"></a>  &#39;table::cellspacing&#39;: 0,
<a name="line327"></a>  &#39;table::frame&#39;: 0,
<a name="line328"></a>  &#39;table::rules&#39;: 0,
<a name="line329"></a>  &#39;table::summary&#39;: 0,
<a name="line330"></a>  &#39;table::width&#39;: 0,
<a name="line331"></a>  &#39;tbody::align&#39;: 0,
<a name="line332"></a>  &#39;tbody::char&#39;: 0,
<a name="line333"></a>  &#39;tbody::charoff&#39;: 0,
<a name="line334"></a>  &#39;tbody::valign&#39;: 0,
<a name="line335"></a>  &#39;td::abbr&#39;: 0,
<a name="line336"></a>  &#39;td::align&#39;: 0,
<a name="line337"></a>  &#39;td::axis&#39;: 0,
<a name="line338"></a>  &#39;td::bgcolor&#39;: 0,
<a name="line339"></a>  &#39;td::char&#39;: 0,
<a name="line340"></a>  &#39;td::charoff&#39;: 0,
<a name="line341"></a>  &#39;td::colspan&#39;: 0,
<a name="line342"></a>  &#39;td::headers&#39;: goog.string.html.HtmlSanitizer.AttributeType.IDREFS,
<a name="line343"></a>  &#39;td::height&#39;: 0,
<a name="line344"></a>  &#39;td::nowrap&#39;: 0,
<a name="line345"></a>  &#39;td::rowspan&#39;: 0,
<a name="line346"></a>  &#39;td::scope&#39;: 0,
<a name="line347"></a>  &#39;td::valign&#39;: 0,
<a name="line348"></a>  &#39;td::width&#39;: 0,
<a name="line349"></a>  &#39;textarea::accesskey&#39;: 0,
<a name="line350"></a>  &#39;textarea::cols&#39;: 0,
<a name="line351"></a>  &#39;textarea::disabled&#39;: 0,
<a name="line352"></a>  &#39;textarea::name&#39;: goog.string.html.HtmlSanitizer.AttributeType.LOCAL_NAME,
<a name="line353"></a>  &#39;textarea::onblur&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line354"></a>  &#39;textarea::onchange&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line355"></a>  &#39;textarea::onfocus&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line356"></a>  &#39;textarea::onselect&#39;: goog.string.html.HtmlSanitizer.AttributeType.SCRIPT,
<a name="line357"></a>  &#39;textarea::readonly&#39;: 0,
<a name="line358"></a>  &#39;textarea::rows&#39;: 0,
<a name="line359"></a>  &#39;textarea::tabindex&#39;: 0,
<a name="line360"></a>  &#39;tfoot::align&#39;: 0,
<a name="line361"></a>  &#39;tfoot::char&#39;: 0,
<a name="line362"></a>  &#39;tfoot::charoff&#39;: 0,
<a name="line363"></a>  &#39;tfoot::valign&#39;: 0,
<a name="line364"></a>  &#39;th::abbr&#39;: 0,
<a name="line365"></a>  &#39;th::align&#39;: 0,
<a name="line366"></a>  &#39;th::axis&#39;: 0,
<a name="line367"></a>  &#39;th::bgcolor&#39;: 0,
<a name="line368"></a>  &#39;th::char&#39;: 0,
<a name="line369"></a>  &#39;th::charoff&#39;: 0,
<a name="line370"></a>  &#39;th::colspan&#39;: 0,
<a name="line371"></a>  &#39;th::headers&#39;: goog.string.html.HtmlSanitizer.AttributeType.IDREFS,
<a name="line372"></a>  &#39;th::height&#39;: 0,
<a name="line373"></a>  &#39;th::nowrap&#39;: 0,
<a name="line374"></a>  &#39;th::rowspan&#39;: 0,
<a name="line375"></a>  &#39;th::scope&#39;: 0,
<a name="line376"></a>  &#39;th::valign&#39;: 0,
<a name="line377"></a>  &#39;th::width&#39;: 0,
<a name="line378"></a>  &#39;thead::align&#39;: 0,
<a name="line379"></a>  &#39;thead::char&#39;: 0,
<a name="line380"></a>  &#39;thead::charoff&#39;: 0,
<a name="line381"></a>  &#39;thead::valign&#39;: 0,
<a name="line382"></a>  &#39;tr::align&#39;: 0,
<a name="line383"></a>  &#39;tr::bgcolor&#39;: 0,
<a name="line384"></a>  &#39;tr::char&#39;: 0,
<a name="line385"></a>  &#39;tr::charoff&#39;: 0,
<a name="line386"></a>  &#39;tr::valign&#39;: 0,
<a name="line387"></a>  &#39;ul::compact&#39;: 0,
<a name="line388"></a>  &#39;ul::type&#39;: 0
<a name="line389"></a>};
<a name="line390"></a>
<a name="line391"></a>
<a name="line392"></a>/**
<a name="line393"></a> * @inheritDoc
<a name="line394"></a> */
<a name="line395"></a>goog.string.html.HtmlSanitizer.prototype.startTag =
<a name="line396"></a>    function(tagName, attribs) {
<a name="line397"></a>  if (this.ignoring_) {
<a name="line398"></a>    return;
<a name="line399"></a>  }
<a name="line400"></a>  if (!goog.string.html.HtmlParser.Elements.hasOwnProperty(tagName)) {
<a name="line401"></a>    return;
<a name="line402"></a>  }
<a name="line403"></a>  var eflags = goog.string.html.HtmlParser.Elements[tagName];
<a name="line404"></a>  if (eflags &amp; goog.string.html.HtmlParser.EFlags.FOLDABLE) {
<a name="line405"></a>    return;
<a name="line406"></a>  } else if (eflags &amp; goog.string.html.HtmlParser.EFlags.UNSAFE) {
<a name="line407"></a>    this.ignoring_ = !(eflags &amp; goog.string.html.HtmlParser.EFlags.EMPTY);
<a name="line408"></a>    return;
<a name="line409"></a>  }
<a name="line410"></a>  attribs = this.sanitizeAttributes_(tagName, attribs);
<a name="line411"></a>  if (attribs) {
<a name="line412"></a>    if (!(eflags &amp; goog.string.html.HtmlParser.EFlags.EMPTY)) {
<a name="line413"></a>      this.stack_.push(tagName);
<a name="line414"></a>    }
<a name="line415"></a>
<a name="line416"></a>    this.stringBuffer_.append(&#39;&lt;&#39;, tagName);
<a name="line417"></a>    for (var i = 0, n = attribs.length; i &lt; n; i += 2) {
<a name="line418"></a>      var attribName = attribs[i],
<a name="line419"></a>          value = attribs[i + 1];
<a name="line420"></a>      if (value !== null &amp;&amp; value !== void 0) {
<a name="line421"></a>        this.stringBuffer_.append(&#39; &#39;, attribName, &#39;=&quot;&#39;,
<a name="line422"></a>            this.escapeAttrib_(value), &#39;&quot;&#39;);
<a name="line423"></a>      }
<a name="line424"></a>    }
<a name="line425"></a>    this.stringBuffer_.append(&#39;&gt;&#39;);
<a name="line426"></a>  }
<a name="line427"></a>};
<a name="line428"></a>
<a name="line429"></a>
<a name="line430"></a>/**
<a name="line431"></a> * @inheritDoc
<a name="line432"></a> */
<a name="line433"></a>goog.string.html.HtmlSanitizer.prototype.endTag = function(tagName) {
<a name="line434"></a>  if (this.ignoring_) {
<a name="line435"></a>    this.ignoring_ = false;
<a name="line436"></a>    return;
<a name="line437"></a>  }
<a name="line438"></a>  if (!goog.string.html.HtmlParser.Elements.hasOwnProperty(tagName)) {
<a name="line439"></a>    return;
<a name="line440"></a>  }
<a name="line441"></a>  var eflags = goog.string.html.HtmlParser.Elements[tagName];
<a name="line442"></a>  if (!(eflags &amp; (goog.string.html.HtmlParser.EFlags.UNSAFE |
<a name="line443"></a>      goog.string.html.HtmlParser.EFlags.EMPTY |
<a name="line444"></a>      goog.string.html.HtmlParser.EFlags.FOLDABLE))) {
<a name="line445"></a>    var index;
<a name="line446"></a>    if (eflags &amp; goog.string.html.HtmlParser.EFlags.OPTIONAL_ENDTAG) {
<a name="line447"></a>      for (index = this.stack_.length; --index &gt;= 0;) {
<a name="line448"></a>        var stackEl = this.stack_[index];
<a name="line449"></a>        if (stackEl === tagName) {
<a name="line450"></a>          break;
<a name="line451"></a>        }
<a name="line452"></a>        if (!(goog.string.html.HtmlParser.Elements[stackEl] &amp;
<a name="line453"></a>            goog.string.html.HtmlParser.EFlags.OPTIONAL_ENDTAG)) {
<a name="line454"></a>          // Don&#39;t pop non optional end tags looking for a match.
<a name="line455"></a>          return;
<a name="line456"></a>        }
<a name="line457"></a>      }
<a name="line458"></a>    } else {
<a name="line459"></a>      for (index = this.stack_.length; --index &gt;= 0;) {
<a name="line460"></a>        if (this.stack_[index] === tagName) {
<a name="line461"></a>          break;
<a name="line462"></a>        }
<a name="line463"></a>      }
<a name="line464"></a>    }
<a name="line465"></a>    if (index &lt; 0) { return; }  // Not opened.
<a name="line466"></a>    for (var i = this.stack_.length; --i &gt; index;) {
<a name="line467"></a>      var stackEl = this.stack_[i];
<a name="line468"></a>      if (!(goog.string.html.HtmlParser.Elements[stackEl] &amp;
<a name="line469"></a>          goog.string.html.HtmlParser.EFlags.OPTIONAL_ENDTAG)) {
<a name="line470"></a>        this.stringBuffer_.append(&#39;&lt;/&#39;, stackEl, &#39;&gt;&#39;);
<a name="line471"></a>      }
<a name="line472"></a>    }
<a name="line473"></a>    this.stack_.length = index;
<a name="line474"></a>    this.stringBuffer_.append(&#39;&lt;/&#39;, tagName, &#39;&gt;&#39;);
<a name="line475"></a>  }
<a name="line476"></a>};
<a name="line477"></a>
<a name="line478"></a>
<a name="line479"></a>/**
<a name="line480"></a> * @inheritDoc
<a name="line481"></a> */
<a name="line482"></a>goog.string.html.HtmlSanitizer.prototype.pcdata = function(text) {
<a name="line483"></a>  if (!this.ignoring_) {
<a name="line484"></a>    this.stringBuffer_.append(text);
<a name="line485"></a>  }
<a name="line486"></a>};
<a name="line487"></a>
<a name="line488"></a>
<a name="line489"></a>/**
<a name="line490"></a> * @inheritDoc
<a name="line491"></a> */
<a name="line492"></a>goog.string.html.HtmlSanitizer.prototype.rcdata = function(text) {
<a name="line493"></a>  if (!this.ignoring_) {
<a name="line494"></a>    this.stringBuffer_.append(text);
<a name="line495"></a>  }
<a name="line496"></a>};
<a name="line497"></a>
<a name="line498"></a>
<a name="line499"></a>/**
<a name="line500"></a> * @inheritDoc
<a name="line501"></a> */
<a name="line502"></a>goog.string.html.HtmlSanitizer.prototype.cdata = function(text) {
<a name="line503"></a>  if (!this.ignoring_) {
<a name="line504"></a>    this.stringBuffer_.append(text);
<a name="line505"></a>  }
<a name="line506"></a>};
<a name="line507"></a>
<a name="line508"></a>
<a name="line509"></a>/**
<a name="line510"></a> * @inheritDoc
<a name="line511"></a> */
<a name="line512"></a>goog.string.html.HtmlSanitizer.prototype.startDoc = function() {
<a name="line513"></a>  this.stack_ = [];
<a name="line514"></a>  this.ignoring_ = false;
<a name="line515"></a>};
<a name="line516"></a>
<a name="line517"></a>
<a name="line518"></a>/**
<a name="line519"></a> * @inheritDoc
<a name="line520"></a> */
<a name="line521"></a>goog.string.html.HtmlSanitizer.prototype.endDoc = function() {
<a name="line522"></a>  for (var i = this.stack_.length; --i &gt;= 0;) {
<a name="line523"></a>    this.stringBuffer_.append(&#39;&lt;/&#39;, this.stack_[i], &#39;&gt;&#39;);
<a name="line524"></a>  }
<a name="line525"></a>  this.stack_.length = 0;
<a name="line526"></a>};
<a name="line527"></a>
<a name="line528"></a>
<a name="line529"></a>/**
<a name="line530"></a> * Escapes HTML special characters in attribute values as HTML entities.
<a name="line531"></a> *
<a name="line532"></a> * TODO(user): use {@code goog.string.htmlEscape} instead ?
<a name="line533"></a> * @param {string} s The string to be escaped.
<a name="line534"></a> * @return {string} An escaped version of {@code s}.
<a name="line535"></a> * @private
<a name="line536"></a> */
<a name="line537"></a>goog.string.html.HtmlSanitizer.prototype.escapeAttrib_ = function(s) {
<a name="line538"></a>  // Escaping &#39;=&#39; defangs many UTF-7 and SGML short-tag attacks.
<a name="line539"></a>  return s.replace(goog.string.html.HtmlParser.AMP_RE_, &#39;&amp;amp;&#39;).
<a name="line540"></a>      replace(goog.string.html.HtmlParser.LT_RE_, &#39;&amp;lt;&#39;).
<a name="line541"></a>      replace(goog.string.html.HtmlParser.GT_RE_, &#39;&amp;gt;&#39;).
<a name="line542"></a>      replace(goog.string.html.HtmlParser.QUOTE_RE_, &#39;&amp;#34;&#39;).
<a name="line543"></a>      replace(goog.string.html.HtmlParser.EQUALS_RE_, &#39;&amp;#61;&#39;);
<a name="line544"></a>};
<a name="line545"></a>
<a name="line546"></a>
<a name="line547"></a>/**
<a name="line548"></a> * Sanitizes attributes found on html entities.
<a name="line549"></a> * @param {string} tagName The name of the tag in which the {@code attribs} were
<a name="line550"></a> *     found.
<a name="line551"></a> * @param {Array.&lt;?string&gt;} attribs An array of attributes.
<a name="line552"></a> * @return {Array.&lt;?string&gt;} A sanitized version of the {@code attribs}.
<a name="line553"></a> * @private
<a name="line554"></a> */
<a name="line555"></a>goog.string.html.HtmlSanitizer.prototype.sanitizeAttributes_ =
<a name="line556"></a>    function(tagName, attribs) {
<a name="line557"></a>  for (var i = 0; i &lt; attribs.length; i += 2) {
<a name="line558"></a>    var attribName = attribs[i];
<a name="line559"></a>    var value = attribs[i + 1];
<a name="line560"></a>    var atype = null, attribKey;
<a name="line561"></a>    if ((attribKey = tagName + &#39;::&#39; + attribName,
<a name="line562"></a>        goog.string.html.HtmlSanitizer.Attributes.hasOwnProperty(attribKey)) ||
<a name="line563"></a>        (attribKey = &#39;*::&#39; + attribName,
<a name="line564"></a>        goog.string.html.HtmlSanitizer.Attributes.hasOwnProperty(attribKey))) {
<a name="line565"></a>      atype = goog.string.html.HtmlSanitizer.Attributes[attribKey];
<a name="line566"></a>    }
<a name="line567"></a>    if (atype !== null) {
<a name="line568"></a>      switch (atype) {
<a name="line569"></a>        case 0: break;
<a name="line570"></a>        case goog.string.html.HtmlSanitizer.AttributeType.SCRIPT:
<a name="line571"></a>        case goog.string.html.HtmlSanitizer.AttributeType.STYLE:
<a name="line572"></a>          value = null;
<a name="line573"></a>          break;
<a name="line574"></a>        case goog.string.html.HtmlSanitizer.AttributeType.ID:
<a name="line575"></a>        case goog.string.html.HtmlSanitizer.AttributeType.IDREF:
<a name="line576"></a>        case goog.string.html.HtmlSanitizer.AttributeType.IDREFS:
<a name="line577"></a>        case goog.string.html.HtmlSanitizer.AttributeType.GLOBAL_NAME:
<a name="line578"></a>        case goog.string.html.HtmlSanitizer.AttributeType.LOCAL_NAME:
<a name="line579"></a>        case goog.string.html.HtmlSanitizer.AttributeType.CLASSES:
<a name="line580"></a>          value = this.nmTokenPolicy_ ?
<a name="line581"></a>            this.nmTokenPolicy_(/** @type {string} */ (value)) : value;
<a name="line582"></a>          break;
<a name="line583"></a>        case goog.string.html.HtmlSanitizer.AttributeType.URI:
<a name="line584"></a>          value = this.urlPolicy_ &amp;&amp; this.urlPolicy_(
<a name="line585"></a>              /** @type {string} */ (value));
<a name="line586"></a>          break;
<a name="line587"></a>        case goog.string.html.HtmlSanitizer.AttributeType.URI_FRAGMENT:
<a name="line588"></a>          if (value &amp;&amp; &#39;#&#39; === value.charAt(0)) {
<a name="line589"></a>            value = this.nmTokenPolicy_ ? this.nmTokenPolicy_(value) : value;
<a name="line590"></a>            if (value) { value = &#39;#&#39; + value; }
<a name="line591"></a>          } else {
<a name="line592"></a>            value = null;
<a name="line593"></a>          }
<a name="line594"></a>          break;
<a name="line595"></a>        default:
<a name="line596"></a>          value = null;
<a name="line597"></a>          break;
<a name="line598"></a>      }
<a name="line599"></a>    } else {
<a name="line600"></a>      value = null;
<a name="line601"></a>    }
<a name="line602"></a>    attribs[i + 1] = value;
<a name="line603"></a>  }
<a name="line604"></a>  return attribs;
<a name="line605"></a>};
</pre>


</body>
</html>
